Description 

ENCRYPTION APPARATUS, ENCRYPTION 
METHOD, AND ENCRYPTION SYSTEM 

CROSS REFERENCE TO RELATED APPLICATIONS 

[0001] This Application is a Continuation of International Appli- 
cation PCT/JP03/05265 filed on April 24, 2003. Interna- 
tional Application PCT/JP03/05265 claims priority to 
Japanese Application 2002-134680 filed on May 9, 2002. 
FIELD OF THE INVENTION 

[0002] The present invention relates to an encryption apparatus, 
an encryption method and an encryption system. In par- 
ticular, this invention relates to an apparatus, a method 
and a system for encrypting/decrypting information to re- 
duce risks of interception of information, change of infor- 
mation and the like that might be caused by attacks on 
networks from the outside. 
BACKGROUND OF THE INVENTION 

[0003] When a PC (personal computer) is used as a stand-alone 
system, there are small risks of interception, change and 
destruction of information on the PC. However, on a net- 
work system like the Internet, information to be transmit- 
ted is routed through a number of networks. Therefore, 
once the PC is connected to such a network system, the 
risks of interception, change and the like can be largely 
increased during information communications. 

[0004] One of systems for solving the above-mentioned problem 
is an information encryption system. In this system, infor- 
mation to be transmitted is first encrypted at a transmis- 
sion PC, and then the transmission PC transmits the en- 
crypted data to a destination PC. The destination PC re- 
ceives and decrypts the encrypted data to use it appropri- 
ately. According to the system, since information to be 
transmitted is encrypted in advance, the risk of disclosure 
of information can be reduced even when the information 
is intercepted in the course of traveling on the network 
toward the destination PC. Further, by the encryption, the 
risk of change of the information can also be reduced. 

[0005] However, if trying to realize an encryption system as de- 
scribed above, it is necessary to install a dedicated en- 
cryption program (encryption software program) to all ter- 
minals involved in the encrypted data communications. 
Now, it is to be noted that, actually, examples of networks 
formed of various terminals include LANs (local area net- 
works) in companies as well as the Internet. Generally, 
each of such LANs includes: 

[0006] (A) Terminals (e.g., a printer, a facsimile and the like) 
where installation of an encryption program is impossible 
for the reason of its design and structure; 

[0007] (B) Terminals (e.g., a print server, a database server, and 
the like) where excessive installation of software programs 
is not preferred in view of stable operations; and 

[0008] (C) Terminals that function simply as network terminals 
and that have no operating system. 

[0009] Therefore, it has generally been very difficult to use an 
encryption system in the LANs of various companies. 

[0010] Actually, a number of LANs are connected to the Internet 
so that PCs of the LANs can access the Internet from the 
inside of the LANs to perform data communications. How- 
ever, once the LANs are connected to the Internet, there 
are the risks of interception and change of confidential in- 
formation inside the LANs by unauthorized entries and at- 
tacks from the outside. 

[0011] To successfully prevent someone who has no authoriza- 
tion from entering (accessing) LANs, a firewall system is 
generally used. When installing the firewall system, a 
server having a software program for the firewall system 
is prepared, and the server is provided between the Inter- 
net and a LAN. However, there is a case that networks 
have security holes therein, even when the firewall system 
has been installed. Through such security holes in the 
networks, a number of unauthorized accesses can be 
made from the outside of the networks. Therefore, a fire- 
wall system as described above has a problem in that 
non-encrypted information in the networks can be easily 
intercepted and changed, once an unauthorized access 
has been made through a security hole. 

[0012] Conventionally, there have been routers for routing and 
relaying data that travels on the Internet, and some types 
of such routers have an encrypting capability. For exam- 
ple, a VPN (Virtual Private Network) router is provided as 
such a router having encrypting capability. This type of 
router makes it possible to perform encrypted-data com- 
munications between VPN routers, without installing a 
dedicated encryption program onto the transmitting and 
destination terminals. 

[0013] However, the VPN router is designed as a relaying device 
on virtual private networks, and is actually used for con- 
necting a plurality of LANs via the Internet. Therefore, 
there has been a problem in that although information to 
be communicated among the LANs can travel in the form 
of encrypted state on the Internet (i.e., outside the LAN), it 
cannot travel in the form of the encrypted state inside the 
LANs. 

[0014] To encrypt data on a VPN router, it is necessary for the 
router to have an IP address for data communications as 
described below by referring to FIG. 1. FIG. 1 shows a hi- 
erarchical structure of the protocol used for the conven- 
tional VPN router and the PC (personal computer) con- 
nected to the router. 

[0015] As shown in FIG. 1, two PCs 101 and 102 have ports 105 
and 106, respectively, so that they can perform data com- 
munications with each other. Further, each of VPN routers 
103 and 104 is designed as a relaying apparatus, and has 
two ports 107 and 108 (109 and 110). Each of the ports 
107 and 108 of the VPN router 103 is provided with an IP- 
Sec, a MAC layer (data link layer) and a physical layer of 
the OSI reference model. In addition, an IP layer (network 
layer) and a TCP/UDP layer (transport layer) are assigned 
to the ports 107 and 108 as common layers, so that the IP 
and TCP/UDP layers are commonly used by the ports 107 
and 108. In the same manner, the ports 109 and 110 of 
the VPN router 104 are provided with a plurality of layers. 

[0016] In this hierarchical structure of the protocol, the lower 
layer is farther from a user, and the higher layer is closer 
to the user. In each of the PCs 101 and 102, the TCP/UDP 
layer and the application layer (not shown in the drawings) 
are above the IP layer, and they are used for communica- 
tions between a user application and lower layers. 

[0017] When data is transmitted from a transmission end to a re- 
ception end, data is first converted on the transmission 
end, each time the data passes each layer from an upper 
layer to a lower layer. In addition, each time the data 
passes each layer, header information for enabling data 
exchange between the same level layers is added to the 
data. On the other hand, on the reception end, each layer 
refers to the header information addressed to its layer, 
and extracts necessary data. Then, the extracted data is 
passed to upper layers, and finally delivered to the user 
through the application layer. 

[0018] In the following, functions of each of the layers will be de- 
scribed. The TCP/UDP layer is used in: determining an ap- 
plication to which data is passed; managing conditions of 
data packets; and performing other operations. On the data 
transmission end, data is passed from the upper layer 
(application layer), and then it determines an application 
to which the data is passed at the reception end. After the 
determination, a destination port number is added to the 
data, and then the data is passed to the lower layer 
(network layer). On the other hand, on the data reception 
end, data packets passed from the lower layer are moni- 
tored to judge whether or not there is a missing 
packet due to the communications condition and the like. 

[0019] The IP layer is used in managing and controlling data re- 
transmission (relay) performed between terminals over a 
plurality of networks. The PC (transmission end) 101 and 
the PC (reception end) 102 are assigned different IP ad- 
dresses <1> and <6>, respectively, to define their re- 
spective addresses. Thus, the end-to-end type of logical 
communications path is established. For the VPN router 
103 (104) having the two ports 107 and 108 (109 and 
110), different IP addresses are assigned to the ports 107 
- 110, respectively. 

[0020] The MAC (media access control) layer is used in ensuring 
reliable data transmission between adjacent nodes 
(devices). To the MAC layer on each device, a physical 
MAC address is assigned when manufacturing the device. 
On the transmission end, an IP address of the reception 
end is read out in the IP layer. Then, based on the read 
out IP address of the reception end, the MAC layer deter- 
mines a next relaying point (i.e., one of adjacent nodes 
that are physically connected to the transmission end) to 
which the data is to be sent. In addition, it finds out an IP 
address of the next relaying point. On the other hand, on 
the reception end, it is judged based on the MAC address 
whether or not the received data packet is addressed 
to its own end. When judged that it is addressed to the 
reception end, the IP address is further analyzed in the IP 
layer above the MAC layer. Then, according to the analysis 
result, it is determined whether the data packet is to 
be further routed to another node, or to be stored therein. 

[0021] A physical layer is used in: converting data received from 
upper layers into a signal such as an electric signal and an 
optical signal; transmitting the data signal through a 
transmission line 111 such as a coaxial cable and an opti- 
cal fiber cable; converting the data signal transmitted 
through the transmission line 111 into the data recogniz- 
able by upper layers; and passing the data to upper layers. 
In the MAC layer above the physical layer, the above- 
mentioned process is performed in a manner depending 
on the communications interface of the physical layer. 

[0022] The IP-Sec has a function of performing an encrypting 
process and a decrypting process on data. According to 
the function, the encrypting/decrypting process is per- 
formed on data passed from the MAC layer. 

[0023] When the encrypted data communications are established 
between the PCs 101 and 102 using the VPN routers 103 
and 104 that utilize the above-mentioned hierarchical 
structure, for example, the VPN router 103 receives via 
the first port 107 data packets transmitted from the 
transmission PC 101 to the destination PC 102. At the VPN 
router 103, the received data packets are sequentially 
passed to the IP layer, and then at this layer, each data 
packet is divided into a header information part and a 
data part. At this time, the obtained data part is encrypted 
in the IP-Sec. Then, based on a destination IP address 
contained in the header information of each data packet, 
the VPN router 103 determines a next node to which the 
data is to be readdressed. This determination is made ac- 
cording to a routing table that the VPN router 103 has 
therein. Then, the VPN router 103 reproduces the data 
packets each of which includes a set of the encrypted data 
part and a header information part, and passes them from 
the IP layer to the physical layer. Finally, the VPN router 
103 retransmits (relays) them via the second port 108. 

[0024] The encrypted packets (i.e., the data packets each of 
which includes the encrypted data part as well as the 
header information part) outputted from the second port 
108 of the VPN router 103 are received at the first port 
109 of the VPN router 104. The VPN router 104 sequen- 
tially passes the received encrypted packets to the IP layer 
through the below layers, and then at this layer, each en- 
crypted packet is divided into the header information part 
and the encrypted data part. At this time, the encrypted 
data part is decrypted in the IP-Sec. Then, based on a 
destination IP address contained in the header information 
of each encrypted data packet, the VPN router 104 deter- 
mines a next node to which the data is to be readdressed. 
This determination is made according to a routing table 
that the VPN router 104 has therein. Then, the VPN router 
104 reproduces the data packets each of which includes a 
set of the decrypted data part and a header information 
part, and passes them to the physical layer from the IP 
layer. Finally, the VPN router 104 retransmits (relays) them 
via the second port 110. 

[0025] The data packets outputted from the second port 110 of 
the VPN router 104 are received by the PC 102. The re- 
ceived data packets are sequentially passed to an upper 
layer through the physical layer, the MAC layer and the IP 
layer. In the upper layer, each of the data packets is di- 
vided into the header information part and the data part. 
Finally, the data is delivered to the user through the appli- 
cation layer (not shown). The above-mentioned manner 
makes it possible for the PCs 101 and 102 to perform en- 
crypted data communications on a network between the 
VPN routers 103 and 104, in spite of the fact that the PCs 
101 and 102 have no encryption software program. 

[0026] In the case of the system shown in FIG. 2, the VPN routers 
103 and 104 are provided between different networks 
(i.e., a network A including the PC 101 and a network B 
including the PC 102), and these networks connected to 
the VPN routers form a part of the Internet. In this net- 
work structure, a unique network address has to be as- 
signed to each network. Therefore, it is also necessary for 
each of the VPN routers 103 and 104 to have a unique IP 
address, so that routing between different networks can 
be performed. (The routing operation includes operations 
of determining a packet transmission route, discarding 
data packets if necessary, dividing/reproducing a data 
packet.) However, such an address setting operation is 
complicated, and therefore the VPN router has a problem 
in that point. 

[0027] In each of the VPN routers 103 and 104, the network con- 
nected to the first port 107 (109) is generally different 
from the network connected to the second port 108 (110). 
Therefore, IP addresses assigned to the ports of the VPN 
router have to be different from each other. In other 
words, the input and output ports of the VPN routers 103 
and 104 have to have a different IP address, respectively. 
For the reason described above, when a VPN router is pro- 
vided between terminals on a network, it is necessary not 
only to set a predetermined address onto the VPN router, 
but also to change an address setting of each terminal 
that is to be connected to the VPN router. In addition, the 
above-mentioned address setting operation also has to be 
conducted when a VPN router is removed from a network. 
Therefore, the VPN router also has a problem in requiring 
complicated setting operations when it is used. 

[0028] For example, in the case where the PCs 101 and 102 
are connected without using the VPN routers 103 and 
104, the PCs 101 and 102 are on the same network. 
Therefore, when performing data communications in this 
case, the PCs 101 and 102 can exchange data there- 
between, directly. FIG. 2A shows IP addresses of a data 
packet in this case (i.e., in the case of transmitting data 
from the PC 101 to the PC 102 in end-to-end manner). As 
is apparent from FIG. 2A, in this case, the setting of the IP 
addresses <1> and <6> of the transmission and recep- 
tion PCs 101 and 102 is completed simply by setting the 
network addresses thereof at the same address "A". 

[0029] In contrast with this, FIG. 2B shows an IP address of a 
data packet in the case of providing the VPN routers 103 
and 104 between the PCs 101 and 102. In this case, the 
PCs 101 and 102 are on different networks, respectively. 
Therefore, when completing the setting of the IP ad- 
dresses <1> and <6> of the PCs 101 and 102 in this 
case, it is necessary to set the network addresses of the 
PCs 101 and 102 at the different addresses "A" and "B", 
respectively. 

[0030] Accordingly, networks to which the PCs 101 and 102 be- 
long change, depending on whether or not the VPN 
routers 103 and 104 are provided between the PCs 101 
and 102, and depending on whether or not the connected 
VPN routers 103 and 104 are removed. Therefore, when 
providing (or removing) the VPN routers 103 and 104, it is 
necessary to change and complete settings such as: 
[0031] (i) An address setting of a default gateway for the PCs 101 
and 102 (i.e., a destination IP address setting (the ports 
107 and 110 of the VPN routers 103 and 104) which is re- 
quired when performing data communications with a dif- 
ferent network); and 
[0032] (ii) An IP address setting of either PC 101 or 102. 

[0033] As described above, it is difficult for a conventional VPN 
router to maintain its transparency regardless of the con- 
nection and removal thereof. In addition, a conventional 
VPN router requires a laborious operation when designing 
and maintaining a system to which the router belongs. 

[0034] In view of the above, it is an object of the present inven- 
tion to allow an in-house LAN having terminals where in- 
stallation of a dedicated encryption program is impossible 
to utilize encryption for data communications inside the 
LAN, so that risks of interception and change of confiden- 
tial information inside the LAN by unauthorized entries 
and attacks from the outside are reduced. 

[0035] Further, it is another object of the present invention to al- 
low terminals inside an in-house LAN to perform en- 
crypted data communications without any laborious oper- 
ations such as an address setting operation. 

SUMMARY OF THE INVENTION

[0036] In order to achieve the above objects, the present inven- 
tion is directed to an encryption apparatus, comprising: a 
plurality of ports to at least one of which a terminal hav- 
ing an encrypting capability can be directly or indirectly 
connected; encryption/decryption means for performing 
an encrypting process and a decrypting process on data to 
terminate encryption-based security between the terminal 
having the encrypting capability; and bridge means for al- 
lowing data, which has been received with one of the plu- 
rality of ports and then on which the encrypting or de- 
crypting process has been performed, to be outputted as 
it is from another port without being performed any rout- 
ing process. 

[0037] In another aspect of the present invention, the encryp- 
tion/decryption means performs the encrypting process 
and the decrypting process on data, so that the encryption 
apparatus receives and retransmits data in the form of 
encrypted data from and to the terminal having the en- 
crypting capability, and the encryption apparatus receives 
and retransmits the data in the form of non-encrypted 
data from and to the terminal having no encrypting capa- 
bility. 

[0038] Further, in order to achieve the above objects, the present 
invention is also directed to an encryption apparatus, 
comprising: a plurality of ports to at least one of which a 
terminal having an encrypting capability can be directly or 
indirectly connected; encryption/decryption means for 
performing an encrypting process or a decrypting process 
on data which has been received with one of the plurality 
of ports and then has passed through a physical layer and 
a data link layer; and bridge means for passing the en- 
crypted or decrypted data to the data link layer and the 
physical layer without passing said data to a network layer 
in which routing between networks is controlled, and then 
sending said data to another port so as to be outputted 
from said port. 

[0039] In another aspect of the present invention, the encryption 
apparatus further comprises setting information storage 
means for storing setting information for controlling the 
encrypting process and the decrypting process, wherein 
the encryption/decryption means controls the encrypting 
process and the decrypting process by comparing the set- 
ting information stored in the setting information storage 
means with header information of a data packet of the 
data received with one of the plurality of ports. 

[0040] Further, in order to achieve the above objects, the present 
invention is also directed to an encrypting method for 
performing an encrypting process and a decrypting pro- 
cess using an encryption apparatus, the apparatus having 
a plurality of ports to at least one of which a terminal hav- 
ing an encrypting capability can be directly or indirectly 
connected, the method comprising the steps of: perform- 
ing the encrypting or decrypting process on data which 
has been received with one of the plurality of ports and 
then has passed through a data link layer and a physical 
layer; and outputting the encrypted or decrypted data 
from another port through the data link layer and the 
physical layer, without passing said data to a network 
layer in which routing between networks is controlled. 

[0041] Further, in order to achieve the above objects, the present 
invention is also directed to an encryption system, com- 
prising: an encryption apparatus according to claim 1; and 
a terminal having an encrypting capability which can be 
connected to the encryption apparatus through a wireless 
or cable network. 

[0042] Further, in order to achieve the above objects, the present 
invention is also directed to an encryption system, com- 
prising: a terminal having an encrypting capability; a ter- 
minal having no encrypting capability; and an encryption 
apparatus according to claim 2 which can be connected 
between the terminal having the encrypting capability and 
the terminal having no encrypting capability through a 
wireless or cable network. 
BRIEF DESCRIPTION OF THE DRAWINGS 

[0043] FIG. 1 shows hierarchical structures for protocols on a 
conventional VPN router and two personal computers 
connected thereto; 

[0044] FIG. 2 shows a data structure of a data packet traveling on 
a network that uses a conventional system, which is re- 
ferred to in describing IP addresses therein; 

[0045] FIG. 3 shows an example of a configuration of an encryp- 
tion system to which an encryption apparatus according to 
the present invention is applied; 

[0046] FIG. 4 shows another example of the configuration of the 
encryption system; 

[0047] FIG. 5 shows another example of the configuration of the 
encryption system; 

[0048] FIG. 6 shows another example of the configuration of the 
encryption system; 

[0049] FIG. 7 shows hierarchical structures for protocols on the 
encryption apparatus according to the present invention, a 
DB server and a personal computer both of which are con- 
nected to the encryption apparatus; 

[0050] FIG. 8 shows a data structure of a data packet traveling on 
a network that uses the present invention, which is re- 
ferred to in describing IP addresses therein; 

[0051] FIG. 9 shows a data structure of a data packet traveling on 
the encryption apparatus according to the present inven- 
tion, which is referred to in describing MAC addresses 
therein; and 

[0052] FIG. 10 shows a data structure of a data packet traveling 
on a conventional VPN router, which is referred to in de- 
scribing MAC addresses therein. 
PREFERRED EMBODIMENTS OF THE INVENTION 

[0053] An embodiment according to the present invention will be 
described below by referring to the attached drawings. 

[0054] FIG. 3 shows an example of the entire configuration of an 
encryption system where an encryption apparatus of this 
embodiment is used. 

[0055] In FIG. 3, each of encryption apparatuses 1 of this embod- 
iment has two ports. To one of the ports, a terminal 
(device) such as a network printer 2, a DB server 3 and a 
network terminal 4 is connected. To the other port, a hub 
5 is connected. Each of the encryption apparatuses 1 is 
provided between the hub 5 and the terminal (i.e., the 
network printer 2, the DB server 3, or the network termi- 
nal 4), and relays data that is to be communicated there- 
between. 

[0056] The network printer 2 is a terminal onto which an encryp- 
tion program (encryption software program) cannot be in- 
stalled for the physical reasons such as its structure, de- 
sign and the like. The DB server 3 is a terminal onto which 
the encryption program can be installed, but it is not pre- 
ferred to install such a program thereon in view of stable op- 
erations and the like. The network terminal 4 is a terminal 
which is provided with no operating system, and thus it is 
impossible to operate the encryption program on the ter- 
minal. Therefore, the following description will be given 
on the assumption that no encryption program is provided 
onto these terminals 2-4. 

[0057] The hub 5 is a device for relaying data in the physical 
layer of the OSI reference model. An access point 6 for 
wireless communications and a desktop PC (personal 
computer) 7 as well as the encryption apparatus 1 are 
connected to the hub 5. According to the configuration 
described above, the hub 5 in this example relays data 
among the encryption apparatus 1, the access point 6 and 
the desktop PC 7. 

[0058] By wireless, a desktop PC 8 and a laptop PC 9 are con- 
nected to the access point 6. The above-mentioned PCs 7 
- 9 are designed so as to be able to store and operate an en- 
cryption program for encrypting/decrypting data, so that 
the encryption program can be installed thereon. In the 
following, the description will be given on the assumption 
that such an encryption program has already been in- 
stalled onto the PCs 7-9. 

[0059] As described above, each encryption apparatus 1 of this 
embodiment has two ports, and to one of the ports the 
PCs 7-9 having an encrypting capability are indirectly 
connected via the hub 5 (and the access point 6 in the 
case of the PCs 8 and 9). Further, to the other of ports, 
the terminal (i.e., the network printer 2, the DB server 3, 
or the network terminal 4) is directly connected. In this 
embodiment, the encryption apparatus 1, the network 
printer 2, the DB server 3, the network terminal 4, the hub 
5, the access point 6 and the PCs 7-9 constitute a LAN 
(local area network). 

[0060] In the LAN having a structure described above, data com- 
munications are made between: 

[0061] (i) The terminals onto which NO encryption program is in- 
stalled (i.e., the network printer 2, the DB server 3 and the 
network terminal 4); and 
[0062] (ii) The terminals onto which the encryption program has 
been installed (i.e., the PCs 7 - 9), via the encryption ap- 
paratus 1, the hub 5 and the access point 6. (In this con- 
nection, it should be noted that each of the terminals 2 - 
4 and 7-9 corresponds to a terminal of the claimed in- 
vention.) 

[0063] When performing data communications within the LAN in 
FIG. 3, each encryption apparatus 1 receives/retransmits 
data in the form of encrypted data from/to the PCs 7-9 
having the encryption program. In addition, each encryp- 
tion apparatus 1 performs the encrypting process and the 
decrypting process on data during the data communica- 
tions, so that the encryption apparatuses 1 receive/ 
retransmits data in the form of non-encrypted data from/ 
to their respective terminals 2-4 having NO encryption 
program. 

[0064] For example, when data is to be transmitted from the 
desktop PC 7 to the network printer 2 to print out the 
data, the data is first encrypted on the desktop PC 7 using 
the installed encryption program. Then, the desktop PC 7 
sends the encrypted data to the encryption apparatus 1 
via the hub 5. The encryption apparatus 1 receives and 
decrypts the encrypted data, and then retransmits (relays) 
the decrypted data to the network printer 2. 

[0065] Further, when the data managed by the DB server 3 is to 
be downloaded from the laptop PC 9, the laptop PC 9 first 
sends a data transmission request to the DB server 3. In 
response to the request from the laptop PC 9, the DB 
server 3 sends the requested data in the form of NON- 
encrypted data to the encryption apparatus 1. The en- 
cryption apparatus 1 receives the non-encrypted data, 
and then encrypts the received data. Then, the encryption 
apparatus 1 retransmits the encrypted data to the laptop 
PC 9 via the hub 5 and the access point 6. Finally, the lap- 
top PC 9 receives and decrypts the encrypted data, so that 
the requested data can be processed appropriately for a 
desired purpose on the laptop PC 9. 

[0066] As described above in detail, the encryption apparatus 1 
of this embodiment can be applied to a LAN (in particular, 
an in-house LAN) including terminals such as the termi- 
nals 2-4 where installation of a dedicated encryption 
program is impossible. Thus, when the encryption appa- 
ratus 1 is used in such a LAN, it becomes possible to per- 
form encrypted-data communications even within the 
above-mentioned LAN including the terminals 2-4 where 
installation of a dedicated encryption program is impossi- 
ble. Therefore, use of the encryption apparatus 1 of this 
invention makes it possible to realize a secure network 
10, where risks of interception and change of confidential 
information inside the LAN are small, even when an unau- 
thorized person enters and attacks the network from 
the outside. 

[0067] In this connection, it should be noted that although the 
encryption cannot be used between the encryption appa- 
ratuses 1 and their respective terminals 2 - 4, no security 
problems occur therebetween. This is because cables 11 
connecting the encryption apparatuses 1 to the terminals 
2 - 4 are physically short, and therefore there is only a 
small possibility that data is intercepted and changed by 
an attack on these short cables 11. 

[0068] FIG. 4 shows another example of the configuration of the 
encryption system to which the encryption apparatus of 
this embodiment is applied. In FIG. 4, an apparatus having 
the same function as that shown in FIG. 3 is assigned the 
same reference numeral. As shown in FIG. 4, the encryp- 
tion apparatus 1 of this example is connected to Internet 
20 via one of the ports thereof, and is also connected to 
the hub 5 via the other port. 

[0069] In the example shown in FIG. 4, the encryption apparatus 
1, the hub 5, the access point 6 and the PCs 7-9 form a 
LAN connected to the Internet 20. At the outside of 
the LAN, another plurality of terminals (not shown) are 
also connected to the Internet 20. Of course, such a plu- 
rality of terminals connected to the Internet 20 at the out- 
side of the LAN include terminals where installation of an 
encryption program is impossible (i.e., terminals like the 
network printer 2, the DB server 3 and the network termi- 
nal 4); and/or terminals where an encryption program has 
been installed (i.e., terminals like the PCs 7 - 9). These 
terminals form another LAN different from the secure 
network (LAN) 10. 

[0070] In the example shown in FIG. 3, the terminal is connected 
to the encryption apparatus 1, one by one, and the en- 
crypting/decrypting process for one terminal is performed 
dedicatedly by one encryption apparatus 1. That is, the 
encryption apparatus 1 shown in FIG. 3 is connected be- 
tween the terminal having no encryption program and a 
group of the PCs 7-9 where the encryption program has 
been installed. In this system, the encryption apparatus 1 
terminates the encryption-based security (i.e., the security 
which utilizes encryption technology) with respect to the 
one terminal. 

[0071] In contrast with this, in the example shown in FIG. 4, the 
encryption apparatus 1 is provided between a group of 
the plurality of terminals (not shown) outside the secure 
network 10 and a group of the PCs 7-9 onto which the 
encryption program has been installed. (The outside ter- 
minals are connected to the secure network 10 via the In- 
ternet 20.) The above-mentioned plurality of terminals 
outside the secure network 10 may be provided with NO 
encryption program in the same manner as the network 
printer 2, the DB server 3 and the network terminal 4 
shown in FIG. 3. Alternatively, these terminals may also be 
provided with an encryption program in the same manner 
as the PCs 7-9. Accordingly, the single encryption appa- 
ratus 1 of this example is designed so as to be able to 
terminate the encryption-based security with respect to a 
plurality of terminals. In this case, the encryption appara- 
tus 1 has to have data paths for the respective connected 
terminals, and performs the encrypting/decrypting pro- 
cess using different encryption keys for the respective 
terminals. 

[0072] For example, when data is to be transmitted via the Internet 20 from the desktop PC 7 inside the secure network 10 to an outside terminal (connected to the Internet 20 outside the secure network 10) having NO encryption program, the data is first encrypted on the desktop PC 7 using the installed encryption program. Then, the desktop PC 7 sends the encrypted data to the encryption apparatus 1 via the hub 5. The encryption apparatus 1 receives and decrypts the encrypted data, and then retransmits (relays) the decrypted data to the outside terminal via the Internet 20.
[0073] Further, for example, when data managed by an outside terminal having NO encryption program is to be downloaded by the laptop PC 9 inside the secure network 10, the laptop PC 9 first sends a data transmission request to the outside terminal. In response to the request, the outside terminal transmits the requested data in non-encrypted form via the Internet 20. Then, the encryption apparatus 1 receives and encrypts the requested data, and retransmits (relays) it in encrypted form to the laptop PC 9 via the hub 5 and the access point 6. Finally, the laptop PC 9 receives and decrypts the encrypted data, so that the requested data can be processed appropriately for the desired purpose on the laptop PC 9.

[0074] Furthermore, when data is to be transmitted from the desktop PC 7 inside the secure network 10 to an outside terminal having an encryption program, the data is first encrypted on the desktop PC 7 using the installed encryption program. Then, the desktop PC 7 sends the encrypted data to the encryption apparatus 1 via the hub 5. As soon as the encryption apparatus 1 receives the encrypted data, it retransmits (relays) the received data without any decryption to the outside terminal via the Internet 20. Finally, the outside terminal decrypts the received data, so that the requested data can be processed appropriately for the desired purpose on the outside terminal.

[0075] Conversely, when encrypted data on the outside terminal outside the secure network 10 is to be transmitted via the Internet 20 to the desktop PC 7 inside the secure network 10, the encryption apparatus 1 similarly relays the data in encrypted form to the desktop PC 7 via the hub 5, without decrypting the data received from the outside terminal via the Internet 20.

[0076] Thus, even in the case where data communications are performed between any of the PCs 7-9 inside the secure network 10 and an outside terminal (connected to the Internet 20 outside the secure network 10) with NO encryption program, the encryption-based security can be maintained at least inside the secure network 10. Of course, when the outside terminal has an encryption program, the encryption can be utilized in data communications not only inside the secure network 10 but also on the Internet 20 outside the secure network 10.
[0077] Now, in the examples described above, the plurality of terminals are connected to the secure network 10 via the Internet 20, but the manner of connection is not limited to these examples. For example, the plurality of terminals may be connected directly to the encryption apparatus 1 or connected via a hub. When connecting directly, the encryption apparatus 1 has to have at least two ports.

[0078] FIG. 5 shows another example of the configuration of the encryption system to which the encryption apparatus of this embodiment is applied. In FIG. 5, a terminal having the same function as that shown in FIG. 3 is assigned the same reference numeral. Similar to the example shown in FIG. 4, the example in FIG. 5 is also directed to a case where the encryption apparatus 1 terminates the encryption-based security with respect to a plurality of terminals.

[0079] In the example of the secure network 10 shown in FIG. 5, all of the PCs 7-9 are connected to the access point 6 so as to form a wireless LAN. Further, the access point 6 is connected to the Internet 20 via the encryption apparatus 1.

[0080] FIG. 6 shows another example of the configuration of the encryption system to which the encryption apparatus of this embodiment is applied. Above, referring to FIGS. 3-5, the PCs 7-9 having an encryption program were described as examples of a terminal having the encrypting capability. Further, the termination of the security between the encryption apparatus 1 and the group of PCs 7-9 was described as an example of termination using a terminal with an encrypting capability. However, a terminal with encrypting capability which can be used in this invention is not limited to these examples. Namely, examples of such a terminal also include other encryption apparatuses having a capability similar to that of the encryption apparatus 1. One such example is shown in FIG. 6.

[0081] In the example shown in FIG. 6, a LAN 30A at a local area A and a LAN 30B at a local area B are connected with routers 40A and 40B via the Internet 20. The LAN 30A at local area A is designed as an in-house LAN including PCs 31A - 33A and encryption apparatuses 1A-1 to 1A-3. In the LAN 30A, each of the PCs 31A - 33A corresponds to a terminal having NO encryption program. Further, each of the encryption apparatuses 1A-1 to 1A-3 has the same function as that of the encryption apparatus 1 shown in FIG. 3. To one of the ports of each of the encryption apparatuses 1A-1 to 1A-3, the router 40A is connected. To the other ports of the encryption apparatuses 1A-1 to 1A-3, the PCs 31A - 33A are connected, respectively.
[0082] Similarly, the LAN 30B at local area B is also designed as an in-house LAN including PCs 31B - 33B and encryption apparatuses 1B-1 to 1B-3. In the LAN 30B, each of the PCs 31B - 33B corresponds to a terminal having NO encryption program. Further, each of the encryption apparatuses 1B-1 to 1B-3 has the same function as that of the encryption apparatus 1 shown in FIG. 3. To one of the ports of each of the encryption apparatuses 1B-1 to 1B-3, the router 40B is connected. To the other ports of the encryption apparatuses 1B-1 to 1B-3, the PCs 31B - 33B are connected, respectively.

[0083] With the above-mentioned network structure, when data communications are performed among PCs belonging to the different LANs 30A and 30B, data is transmitted/received via the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3. For example, when data is to be transmitted from the PC 31A in the LAN 30A to the PC 33B in the LAN 30B, the PC 31A first sends the data to the encryption apparatus 1A-1. The encryption apparatus 1A-1 receives and encrypts the data, and then retransmits (relays) the encrypted data to the encryption apparatus 1B-3 via the router 40A, the Internet 20 and the router 40B. The encryption apparatus 1B-3 receives and decrypts the encrypted data, and then further retransmits (relays) the decrypted data to the PC 33B. In this way, data communications utilizing the encryption can be achieved between the different LANs 30A and 30B.
[0084] Further, in this example, when data communications are performed inside the LAN 30A (i.e., among the PCs 31A - 33A having NO encryption program), data is transmitted/received via the encryption apparatuses 1A-1 to 1A-3. For example, when data is to be transmitted from the PC 31A to the PC 33A, the PC 31A first sends the data to the encryption apparatus 1A-1. The encryption apparatus 1A-1 receives and encrypts the data, and then retransmits (relays) the encrypted data to the encryption apparatus 1A-3. The encryption apparatus 1A-3 decrypts the received encrypted data, and then further retransmits (relays) the decrypted data to the PC 33A.

[0085] Similarly, when data communications are performed inside the LAN 30B (i.e., among the PCs 31B - 33B having NO encryption program), data is transmitted/received via the encryption apparatuses 1B-1 to 1B-3. For example, when data is to be transmitted from the PC 31B to the PC 33B, the PC 31B first sends the data to the encryption apparatus 1B-1. The encryption apparatus 1B-1 receives and encrypts the data, and then retransmits (relays) the encrypted data to the encryption apparatus 1B-3. The encryption apparatus 1B-3 decrypts the received encrypted data, and then further retransmits (relays) the decrypted data to the PC 33B.

[0086] As described above, in this example, the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 receive/retransmit data in NON-encrypted form from/to their respective PCs 31A - 33A and 31B - 33B having NO encryption program. On the other hand, the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 perform the encrypting process and the decrypting process, so that any one of the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 receives/retransmits data in encrypted form from/to any other of the encryption apparatuses.
[0087] By connecting the above-mentioned encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 closer (directly) to the PCs 31A - 33A and 31B - 33B respectively, data communications using the encryption can be realized not only between the different LANs 30A and 30B, but also inside an in-house LAN which includes PCs with NO encryption program. This makes it possible to configure each of the LANs 30A and 30B as a secure network almost free of the risks of interception and change of confidential information by unauthorized entries or attacks from the outside.
[0088] In the example shown in FIG. 6, each of the LANs 30A and 30B is provided with a plurality of terminals having the encrypting capability (i.e., the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3). However, this invention is not limited to this example, and it may be formed by providing at least one of the LANs 30A and 30B with only one terminal having the encrypting capability. For example, the LAN 30A may be formed from a single PC 31A and a single encryption apparatus 1A-1 connected to the PC 31A.

[0089] In this example, similar to the example shown in FIG. 6, data communications using the encryption can also be realized between the different LANs 30A and 30B. Further, when the encryption apparatus 1A-1 is connected closer to the PC 31A, the encryption can also be used in data transmission between the entry/exit point of the LAN 30A and the encryption apparatus 1A-1 inside the LAN 30A.

[0090] In the example shown in FIG. 6, two LANs 30A and 30B are connected via the Internet 20. Further, the LAN 30A is provided with the encryption apparatuses 1A-1 to 1A-3 and the PCs 31A - 33A, and the LAN 30B is provided with the encryption apparatuses 1B-1 to 1B-3 and the PCs 31B - 33B. However, it should be noted that the configuration of this invention is not limited to this example.

[0091] For example, a single LAN may be provided with all of the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 and the PCs 31A - 33A and 31B - 33B, so that data communications can be achieved inside the LAN among the PCs 31A - 33A and 31B - 33B having NO encryption program via the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3. In this case, data communications using the encryption can be realized at least among the encryption apparatuses 1A-1 to 1A-3 and 1B-1 to 1B-3 inside the single LAN.

[0092] Further, as another example, a LAN may be designed so as to have the same arrangement as that shown in FIG. 3, except that the desktop PC 7 having the encryption program is replaced by a set of a PC with no encryption program and an encryption apparatus 1 connected to the hub 5. In this example, encrypted-data communications can be achieved between the PC with no encryption program and any of the network printer 2, the DB server 3 and the network terminal 4, via their respective encryption apparatuses 1 connected closer thereto.
[0093] FIG. 7 shows the hierarchical structure of the protocols used for the encryption apparatus 1, the DB server 3 and the PC 9 connected to the encryption apparatus 1 (which are used in the encryption system shown in FIG. 3). In the example shown in FIG. 7, the laptop PC 9 is provided with the encryption program, and the DB server 3 is provided with NO encryption program. (This means that the laptop PC 9 has IP-Sec, and the DB server 3 has no IP-Sec.) The encryption apparatus 1 of this embodiment is provided between the DB server 3 and the laptop PC 9. The example in FIG. 7 shows a case where the DB server 3 sends data stored therein to the encryption apparatus 1, and the encryption apparatus 1 then encrypts the received data before retransmitting it to the PC 9.

[0094] As shown in FIG. 7, the DB server 3 and the PC 9 have ports 31 and 32, respectively. Further, the encryption apparatus 1 in FIG. 7 is designed to function as a relay device with two ports 33 and 34. In the encryption apparatus 1, the physical layer and the MAC layer (data link layer) are provided for each of the ports 33 and 34. In addition, for the ports 33 and 34, the IP-Sec (encrypting/decrypting capability), the IP layer (network layer) and the TCP/UDP layer (transport layer) are provided as common layers. As a result of this arrangement, the encryption apparatus 1 of this embodiment is characterized in that the IP-Sec serves as a bridge which links the two ports 33 and 34.

[0095] In this embodiment, the term "bridge" indicates a function of sending data (which has been inputted via one of the ports and on which the encrypting or decrypting process has then been performed) just as it is to the other port, without performing any routing process. In more detail, in the example shown in FIG. 7, data is inputted via the first port 33, and the decrypting process is then performed on the inputted data at the IP-Sec. Then, without performing any routing process on the encrypted data at the IP layer, the encrypted data (just as it is) is sent to and outputted from the second port 34. (In other words, without passing the encrypted data to the IP layer, the data after the decryption, just as it is, is sent to and outputted from the second port 34.) This manner corresponds to the above-mentioned "bridge" process. Namely, in the encryption apparatus 1 according to the present embodiment, the IP layer and the TCP/UDP layer are not used in the data transmission between the DB server 3 and the PC 9, and the data transmission process is carried out in layers lower than the IP layer.
[0096] In the example shown in FIG. 7, each data packet produced on the DB server 3 is first outputted therefrom through the MAC layer and the physical layer. The data packet outputted from the DB server 3 is then received by the encryption apparatus 1 via the first port 33. In the encryption apparatus 1, the received data packet is passed to the IP-Sec through the physical layer and the MAC layer. In the IP-Sec, the encryption process is performed on the data part of the data packet. The encrypted data packet (i.e., the data packet including the encrypted data part) is sent to the second port 34 through the MAC layer and the physical layer, and is then outputted from the second port 34.

[0097] The data packet outputted from the second port 34 of the encryption apparatus 1 is then received by the PC 9, and is passed to the IP-Sec through the physical layer and the MAC layer. In the IP-Sec at the PC 9, the encrypted data packet is decrypted, and the decrypted data packet is then passed to the application layer (not shown) through the IP layer. In this way, even though no encryption program is installed on the DB server 3, data can be transmitted in encrypted form to the PC 9.

[0098] In this embodiment, the IP layer and the TCP/UDP layer on the encryption apparatus 1 are used when inputting various information for the encryption/decryption into it. In detail, various information such as the following information (A) - (E) is inputted using the IP layer and the TCP/UDP layer, so that the setting of the encryption apparatus 1 for the encrypted-data communications is completed.

[0099] (A) Information for instructing the encrypting/decrypting process: This information instructs that data communications be performed in encrypted form when communicating between predetermined terminals, and in non-encrypted form when communicating between other terminals.

[0100] (B) Information for instructing the discarding of data packets: This information instructs that data packets be discarded when data packets to be communicated between predetermined terminals have been received.

[0101] (C) Information for instructing the security level of the encryption when performing data encryption.

[0102] (D) Information for instructing the time when data encryption is to be performed.

[0103] (E) Information on encryption keys.

[0104] The setting information described above is stored in a memory together with the bridge function of the IP-Sec. When controlling the encrypting/decrypting process and other processes, the IP-Sec compares the setting information stored in the memory with header information (i.e., the source IP address and the destination IP address) included in a data packet inputted via the port 33 (34).

[0105] As described above, the encryption apparatus 1 of this embodiment performs, in the IP-Sec, the encryption/decryption process on data that has been inputted via one of the ports. Further, the encryption apparatus 1 sends the encrypted/decrypted data just as it is to the other port without passing this data to the IP layer (i.e., without performing any routing process). This makes it possible for the encryption apparatus 1 to operate with no IP address during data communications. That is, the encryption apparatus 1 can perform data encryption/decryption during data communications even though it has no IP address. Therefore, according to the present invention, the encryption apparatus 1 is free of the laborious setting operation for an IP address.
[0106] Further, for the reasons described above, even when the encryption apparatus 1 is provided between adjacent terminals, these terminals still belong to the same network. This means that there is no need for the input and output ports of the encryption apparatus 1 to have different IP addresses. Therefore, the transparency of the IP address can be maintained regardless of the connection of the encryption apparatus 1 on the network. In other words, it is not necessary to set or change the IP addresses of terminals connected to the encryption apparatus 1 when connecting/removing the encryption apparatus 1 to/from the network.

[0107] For example, in the case where communications are performed directly between the DB server 3 and the PC 9 without the encryption apparatus 1 connected, the IP addresses of a data packet communicated between the DB server 3 and the PC 9 are as shown in FIG. 8. In this connection, it should be noted that, even in the case where the encryption apparatus 1 is connected between the DB server 3 and the PC 9 as shown in FIG. 7, the IP addresses of a data packet communicated between the DB server 3 and the PC 9 are unchanged (i.e., also as shown in FIG. 8). Therefore, it is not necessary to change the address settings regardless of the connection of the encryption apparatus 1.

[0108] Thus, when arranging or maintaining a network system, it is only necessary to connect/remove the encryption apparatus 1 of this embodiment to/from an appropriate point of the network system. In other words, there is no need to perform a laborious setting operation for an IP address. Therefore, the load on users is considerably reduced.

[0109] Further, according to the present embodiment, transparency for the MAC address can also be maintained. FIG. 9 shows the data structure of a data packet in the case where the encryption apparatus 1 performs the encryption on data that is to be transmitted to the PC 9 from the DB server 3. FIG. 10 is a drawing for comparison with FIG. 9, which shows the data structure of a data packet in the case where the VPN router 103 in FIG. 1 performs the encryption on data that is to be transmitted to the PC 101 from the PC 102.
[0110] In FIGS. 9 and 10, FIGS. 9A and 10A show the data packets received at the first ports 33 and 107, respectively. Further, FIGS. 9B and 10B show the data packets to be retransmitted from the second ports 34 and 108, respectively. In this connection, the IP-Sec operates in two modes, a transport mode and a tunnel mode. In the transport mode, the encryption is performed only on the data part of a data packet. On the other hand, in the tunnel mode, the encryption is performed on the entire data packet, and new header information is then added to the encrypted data packet. In FIGS. 9B and 10B, the data packet to be transmitted from the second port is shown for both modes.
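The bridging behaviour of paragraphs [0094]-[0105] (setting information matched on source and destination IP address, encryption or decryption in the IP-Sec, relay to the other port with MAC and IP headers untouched) and the transport/tunnel distinction of [0110], as an added Python model that is not part of the patent; the HMAC-based toy cipher standing in for IP-Sec, the frame layout, the sample addresses and key, and the policy fields are all assumptions.

```python
"""Toy model of the two-port bridging encryption apparatus of FIG. 7 (added
example, not the patent's code; the HMAC toy cipher, frame layout and sample
addresses are assumptions).  A frame entering port 33 is encrypted, one entering
port 34 is decrypted, and the result goes to the other port with no routing."""
import hashlib, hmac, os
from dataclasses import dataclass, replace

PLAIN_PORT, CIPHER_PORT = 33, 34             # port numerals used in FIG. 7

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    data: bytes                               # IP data part (transport payload)
    mode: str = "plain"                       # "plain", "transport" or "tunnel"

@dataclass(frozen=True)
class Policy:                                 # one row of setting information
    action: str                               # (A) "encrypt" or (B) "discard"
    mode: str = "transport"                   # IP-Sec transport or tunnel mode
    hours: tuple = (0, 24)                    # (D) encrypt when start <= hour < end
    key: bytes = b""                          # (E); security level (C) not modelled

def _subkeys(key: bytes):
    """Separate keystream and MAC keys derived from one policy key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _stream(ek: bytes, nonce: bytes, n: int) -> bytes:
    """CTR-style keystream from an HMAC PRF (toy construction, not ESP)."""
    return b"".join(hmac.new(ek, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                    for c in range(0, n, 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered or truncated blob raises."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]
    if len(blob) < 28 or not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class EncryptionApparatus:
    """Bridge with no IP address of its own: it never rewrites a header."""
    def __init__(self, table: dict):
        self.table = {frozenset(p): pol for p, pol in table.items()}  # unordered pair

    def relay(self, f: Frame, in_port: int, hour: int):
        """Frame to emit on the other port, or None when it is discarded."""
        pol = self.table.get(frozenset((f.src_ip, f.dst_ip)))
        if pol is not None and pol.action == "discard":
            return None                       # (B)
        if pol is None or not pol.hours[0] <= hour < pol.hours[1]:
            return f                          # (A) other terminals / (D) outside window
        return self._encrypt(f, pol) if in_port == PLAIN_PORT else self._decrypt(f, pol)

    def _encrypt(self, f: Frame, pol: Policy) -> Frame:
        if pol.mode == "transport":           # FIG. 9B transport: data part only
            return replace(f, data=seal(pol.key, f.data), mode="transport")
        inner = f"{f.src_ip}|{f.dst_ip}|".encode() + f.data   # tunnel: whole packet
        # the new outer header reuses the endpoint addresses: the apparatus has none
        return replace(f, data=seal(pol.key, inner), mode="tunnel")

    def _decrypt(self, f: Frame, pol: Policy):
        if f.mode == "plain":
            return None                       # clear text on a flow that must be encrypted
        try:
            plain = unseal(pol.key, f.data)
        except ValueError:
            return None                       # forged or tampered frame is dropped
        if f.mode == "transport":
            return replace(f, data=plain, mode="plain")
        src, dst, payload = plain.split(b"|", 2)
        return replace(f, src_ip=src.decode(), dst_ip=dst.decode(), data=payload, mode="plain")

DB_SERVER_IP, PC9_IP, KEY = "192.0.2.3", "192.0.2.9", bytes(range(32))  # constructed samples
```

A relayed frame keeps the same source and destination MAC and IP addresses as the frame that entered, which is the transparency property of FIGS. 8 and 9; clear-text frames arriving on the encrypted side of a flow that the policy says must be encrypted, and frames whose tag does not verify, are dropped rather than forwarded.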

[0111] As clearly shown in FIG. 9, according to the present embodiment, not only the IP addresses but also the MAC addresses are NOT different between the data packet received at the first port 33 and the data packet to be transmitted from the second port 34. This means that in the example shown in FIG. 9, transparency for the MAC address is maintained. That is, the encryption apparatus 1 according to the present embodiment merely passes the data inputted at one port to the other port, apart from having the IP-Sec and performing the encrypting/decrypting process with it. Therefore, even when communicating a data packet which has no MAC address, the encryption apparatus can relay the data packet.
[0112] In the above-mentioned embodiment, the IP layer is used as an example of a network layer, which is the third layer of the OSI reference model. However, this invention is not limited to this example, and an IPX (Internetwork Packet Exchange) layer, which is a protocol used on the network OS produced by Novell, Inc., may be used for the network layer instead of the IP layer. Alternatively, any other protocol may also be used, as long as it can cooperate with the IP-Sec.

[0113] The above-mentioned embodiments of the present invention are only a few examples of this invention, and the scope of the invention is not limited to them. Therefore, various modifications and changes can be made without departing from the spirit and scope of the invention.

[0114] According to the present invention described above, the encryption apparatus is provided with encryption/decryption means for performing an encrypting/decrypting process on data to terminate encryption-based security between the encryption apparatus and a terminal having an encrypting capability. By connecting the encryption apparatus between terminals via a network, it becomes possible for an in-house LAN having terminals where installation of a dedicated encryption program is impossible to utilize encryption for data communications inside the LAN. As a result, the risks of interception and change of confidential information inside the LAN by unauthorized entries and attacks from the outside are reduced.
[0115] Further, according to the present invention, the encryption apparatus outputs encrypted or decrypted data without passing the data to a network layer in which routing between networks is controlled. This feature makes it possible for the encryption apparatus to perform data communications without an IP address. Furthermore, since there is no need for the input and output ports of the encryption apparatus to have different IP addresses, the transparency of the IP address of the encryption apparatus can be maintained regardless of its connection on a network. In addition, it is not necessary to set or change the IP addresses of terminals connected to the encryption apparatus when connecting/removing the encryption apparatus to/from the network. This allows terminals inside an in-house LAN to perform encrypted data communications without any laborious operations such as an address setting operation.

INDUSTRIAL UTILIZATION 

[0116] The present invention is preferably used to allow an in-house LAN having terminals where installation of a dedicated encryption program is impossible to utilize encryption for data communications inside the LAN, so that the risks of interception and change of confidential information inside the LAN by unauthorized entries and attacks from the outside are reduced.

[0117] Further, the present invention is also used to allow terminals inside an in-house LAN to perform encrypted data communications without any laborious operations such as an address setting operation.



